Active Directory Authentication not working

Hi,

We are trying to set up AD authentication following the guide:

https://support.oneidentity.com/identity-manager/kb/239053/sso-single-sign-on-is-not-working-for-the-web-portal

But we don't want to disable Anonymous Authentication.

And it is not working with the DNS we have set.

We are getting the following error in the log:

2019-10-09 10:28:50.5744 WARN ( WebLog m1vgj5queat5ricdhb3jj5lo) : System.Exception: Single-sign-on failed, URL was /IdentityManager/page.axd?branchId=FIERA-IAMWEB127734&imx_culture=en-US ---> System.AggregateException: One or more errors occurred. ---> VI.Base.ViException: Failed to authenticate user. ---> VI.Base.ViException: The current user could not be determined.
at VI.DB.Auth.AdsAccountHelper.GetSsoIdentity(IAuthProps props)
at VI.DB.Auth.AuthModRoleBasedADSAccountBase.GetWindowsIdentity(IResolve services, IAuthProps props)
at VI.DB.Auth.AuthModRoleBasedADSAccountBase.GetPersonDataAsync(IDbSession dbSession, IResolve services, IAuthProps props, CancellationToken cancellationToken)
at VI.DB.Auth.AuthModRoleBasedBase.<AuthenticateAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at VI.DB.Auth.DbAuthenticator.<AuthenticateAsync>d__10.MoveNext()
--- End of inner exception stack trace ---
at VI.DB.Auth.DbAuthenticator.<AuthenticateAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at VI.DB.Entities.SessionFactoryImpl.<>c__DisplayClass15_0.<<OpenAsync>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at VI.DB.Entities.SessionFactoryImpl.<_OpenAsync>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at VI.DB.Entities.SessionFactoryImpl.<OpenAsync>d__15.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at VI.Base.SyncActions.Do[T](Func`1 function)
at VI.DB.Implementation.Connection.Authenticate(IAuthProps props)
at VI.WebRuntime.UserSession.HandleLogin(IAuthPropCollector auth)
at VI.WebRuntime.UserSession.Authenticate(IAuthPropCollector auth)
at VI.WebRuntime.Communication.RequestAuthenticationModule.TrySingleSignOn(HttpContextBase context, IUserSession userSession, IWebAppDbConfig configDoc)
--- End of inner exception stack trace --- System.Exception: Single-sign-on failed, URL was /IdentityManager/page.axd?branchId=FIERA-IAMWEB127734&imx_culture=en-US ---> System.AggregateException: One or more errors occurred. ---> VI.Base.ViException: Failed to authenticate user. ---> VI.Base.ViException: The current user could not be determined.
at VI.DB.Auth.AdsAccountHelper.GetSsoIdentity(IAuthProps props)
at VI.DB.Auth.AuthModRoleBasedADSAccountBase.GetWindowsIdentity(IResolve services, IAuthProps props)
at VI.DB.Auth.AuthModRoleBasedADSAccountBase.GetPersonDataAsync(IDbSession dbSession, IResolve services, IAuthProps props, CancellationToken cancellationToken)
at VI.DB.Auth.AuthModRoleBasedBase.<AuthenticateAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at VI.DB.Auth.DbAuthenticator.<AuthenticateAsync>d__10.MoveNext()
--- End of inner exception stack trace ---
at VI.DB.Auth.DbAuthenticator.<AuthenticateAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at VI.DB.Entities.SessionFactoryImpl.<>c__DisplayClass15_0.<<OpenAsync>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at VI.DB.Entities.SessionFactoryImpl.<_OpenAsync>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at VI.DB.Entities.SessionFactoryImpl.<OpenAsync>d__15.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at VI.Base.SyncActions.Do[T](Func`1 function)
at VI.DB.Implementation.Connection.Authenticate(IAuthProps props)
at VI.WebRuntime.UserSession.HandleLogin(IAuthPropCollector auth)
at VI.WebRuntime.UserSession.Authenticate(IAuthPropCollector auth)
at VI.WebRuntime.Communication.RequestAuthenticationModule.TrySingleSignOn(HttpContextBase context, IUserSession userSession, IWebAppDbConfig configDoc)

  • Hi,

    Does it work when Anonymous auth is disabled?

    The critical component here is IIS and whether it can authenticate the AD user.

    But this won't work if Anonymous is enabled.  What is the point of enabling SSO if anonymous is enabled?

    Trevor

  • Hi,

    Agree with Trevor.  Some other points not mentioned in that link above that I would check:

    • I would get it working in a well-defined test environment first and then go from there.  The reason is that we are relying on the Windows security model and it is very sensitive to things like DNS, domain security, etc.  If anything is off, Windows will not pass the Kerberos tokens
    • For AD SSO, the Web Portal must be deployed on a machine that is a member of the Windows Domain
    • The AD Account you login with needs to be linked to a Person with at least one Identity Manager Application role
    • As a first step ensure that AD Role based authentication is working (still need to type the password but at least we confirm the AD auth is working)
    • In IE you should also make sure 'Enable Integrated Windows Authentication' is checked in the Advanced options.  Other web browsers have their own specific config for SSO.
    • In IIS: enable Anonymous on the IIS Server and Site level but enable only Windows Authentication on the Identity Manager web application
    • If SSL is in use make sure the Server certs are trusted by the Client
    • Diagnostics:
      • You can turn on OneIM Trace level debugging in the Web Portal globallog.conf to see if the diagnostic logs show any more info
      • You can try Fiddler to see how far the authorization exchange is going in the browser

    hth,

    Rob
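
The IIS layout Rob describes (Anonymous left on at the site level, only Windows Authentication on the Identity Manager application), as an added PowerShell example that is not part of the thread. It assumes the site is named 'Default Web Site'; the application path is taken from the /IdentityManager URL in the logged exception.

```powershell
# Added example, not from the thread: apply and verify the per-scope IIS
# authentication settings for Web Portal SSO using the WebAdministration module.
Import-Module WebAdministration

$SiteName = 'Default Web Site'        # assumed site name
$AppPath  = 'IdentityManager'         # from /IdentityManager/page.axd in the log
$AppHost  = 'MACHINE/WEBROOT/APPHOST' # applicationHost.config, where IIS auth is stored
$AuthBase = 'system.webServer/security/authentication'

function Set-AuthFlag {
    param([string]$Location, [string]$Scheme, [bool]$Enabled)
    # The authentication sections are locked by default, so write them into
    # applicationHost.config via -Location instead of the application's web.config.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "$AuthBase/$Scheme" -Name enabled -Value $Enabled
}

function Get-AuthFlag {
    param([string]$Location, [string]$Scheme)
    $r = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "$AuthBase/$Scheme" -Name enabled
    # Depending on module version this is a bare bool or a ConfigurationAttribute.
    if ($r -is [bool]) { $r } else { [bool]$r.Value }
}

# Site level: Anonymous stays enabled, as the original poster wants.
Set-AuthFlag -Location $SiteName -Scheme anonymousAuthentication -Enabled $true

# Application level: only Windows Authentication, so IIS has to negotiate a
# Windows identity before the request reaches the Web Portal. With Anonymous
# also enabled here IIS never challenges the browser, and the portal has no
# identity to resolve ("The current user could not be determined").
$AppLocation = "$SiteName/$AppPath"
Set-AuthFlag -Location $AppLocation -Scheme anonymousAuthentication -Enabled $false
Set-AuthFlag -Location $AppLocation -Scheme windowsAuthentication   -Enabled $true

# Verify the effective flags at both scopes.
foreach ($loc in $SiteName, $AppLocation) {
    $anon = Get-AuthFlag -Location $loc -Scheme anonymousAuthentication
    $win  = Get-AuthFlag -Location $loc -Scheme windowsAuthentication
    '{0,-40} anonymous={1,-5} windows={2}' -f $loc, $anon, $win
}
if ((Get-AuthFlag $AppLocation anonymousAuthentication) -and
    (Get-AuthFlag $AppLocation windowsAuthentication)) {
    Write-Warning "Anonymous and Windows auth are both enabled on $AppLocation; SSO will not get a Windows identity."
}
```

Run it in an elevated PowerShell session on the web server; the final check reproduces the misconfiguration the thread is about (both schemes enabled on the application) as a warning rather than a silent failure.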
